Handle partial snapshot restore due to stack overflow.

Reported by pwnhacker0x18. Fixed by Peter Cawley. #1196

2 files changed, 9 insertions, 4 deletions

diff --git a/src/lj_debug.c b/src/lj_debug.c
index bca1d7a5..abb7572c 100644
--- a/src/lj_debug.c
+++ b/src/lj_debug.c
@@ -102,9 +102,12 @@ static BCPos debug_framepc(lua_State *L, GCfunc *fn, cTValue *nextframe)
   pos = proto_bcpos(pt, ins) - 1;
 #if LJ_HASJIT
   if (pos > pt->sizebc) {  /* Undo the effects of lj_trace_exit for JLOOP. */
-    GCtrace *T = (GCtrace *)((char *)(ins-1) - offsetof(GCtrace, startins));
-    lua_assert(bc_isret(bc_op(ins[-1])));
-    pos = proto_bcpos(pt, mref(T->startpc, const BCIns));
+    if (bc_isret(bc_op(ins[-1]))) {
+      GCtrace *T = (GCtrace *)((char *)(ins-1) - offsetof(GCtrace, startins));
+      pos = proto_bcpos(pt, mref(T->startpc, const BCIns));
+    } else {
+      pos = NO_BCPOS;  /* Punt in case of stack overflow. */
+    }
   }
 #endif
   return pos;
diff --git a/src/lj_trace.c b/src/lj_trace.c
index d015f2ab..8385f3d1 100644
--- a/src/lj_trace.c
+++ b/src/lj_trace.c
@@ -788,8 +788,10 @@ int LJ_FASTCALL lj_trace_exit(jit_State *J, void *exptr)
   exd.J = J;
   exd.exptr = exptr;
   errcode = lj_vm_cpcall(L, NULL, &exd, trace_exit_cp);
-  if (errcode)
+  if (errcode) {
+    setcframe_pc(cframe_raw(L->cframe), L);  /* Point to any valid memory. */
     return -errcode;  /* Return negated error code. */
+  }
 
   lj_vmevent_send(L, TEXIT,
     lj_state_checkstack(L, 4+RID_NUM_GPR+RID_NUM_FPR+LUA_MINSTACK);